1819. [bug] The validator needed to check both the algorithm and

digest types of the DS to determine if it could be used to introduce a secure zone. [RT #13593]

1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be used to introduce a secure zone. [RT #13593]
c941e32d · Mark Andrews · 39c7fc7e · c941e32d · c941e32d · c941e32d
Commit c941e32d authored Mar 04, 2005 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+1819.	[bug]		The validator needed to check both the algorithm and
+			digest types of the DS to determine if it could be
+			used to introduce a secure zone. [RT #13593]
+
 1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]

 1817.	[placeholder]	rt13587

--- a/lib/dns/ds.c
+++ b/lib/dns/ds.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: ds.c,v 1.4 2004/03/05 05:09:19 marka Exp $ */
+/* $Id: ds.c,v 1.5 2005/03/04 03:53:20 marka Exp $ */

 #include <config.h>

@@ -81,3 +81,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 	return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
 				     &ds, &b));
 }
+
+isc_boolean_t
+dns_ds_digest_supported(unsigned int digest_type) {
+	return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1));
+}
--- a/lib/dns/include/dns/ds.h
+++ b/lib/dns/include/dns/ds.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: ds.h,v 1.3 2004/03/05 05:09:42 marka Exp $ */
+/* $Id: ds.h,v 1.4 2005/03/04 03:53:21 marka Exp $ */

 #ifndef DNS_DS_H
 #define DNS_DS_H 1
@@ -51,6 +51,12 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 *		to 'buffer'.
 */

+isc_boolean_t
+dns_ds_digest_supported(unsigned int digest_type);
+/*
+ * Is this digest algorithm supported by dns_ds_buildrdata()?
+ */
+
 ISC_LANG_ENDDECLS

 #endif /* DNS_DS_H */
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: resolver.h,v 1.41 2004/04/15 23:40:26 marka Exp $ */
+/* $Id: resolver.h,v 1.42 2005/03/04 03:53:22 marka Exp $ */

 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -416,6 +416,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
 * crypto libraries if not specifically disabled.
 */

+isc_boolean_t
+dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type);
+/*
+ * Is this digest type supported.
+ */
+
 void
 dns_resolver_resetmustbesecure(dns_resolver_t *resolver);


--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: resolver.c,v 1.303 2005/02/08 23:51:31 marka Exp $ */
+/* $Id: resolver.c,v 1.304 2005/03/04 03:53:21 marka Exp $ */

 #include <config.h>

@@ -30,6 +30,7 @@
 #include <dns/cache.h>
 #include <dns/db.h>
 #include <dns/dispatch.h>
+#include <dns/ds.h>
 #include <dns/events.h>
 #include <dns/forward.h>
 #include <dns/keytable.h>
@@ -6520,6 +6521,13 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
 	return (dst_algorithm_supported(alg));
 }

+isc_boolean_t
+dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
+
+	UNUSED(resolver);
+	return (dns_ds_digest_supported(digest));
+}
+
 void
 dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {


--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: validator.c,v 1.126 2005/02/09 05:19:30 marka Exp $ */
+/* $Id: validator.c,v 1.127 2005/03/04 03:53:21 marka Exp $ */

 #include <config.h>

@@ -1561,6 +1561,9 @@ dlv_validatezonekey(dns_validator_t *val) {
 		dns_rdataset_current(val->dlv, &dlvrdata);
 		(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);

+		if (!dns_resolver_digest_supported(val->view->resolver,
+						   dlv.digest_type))
+			continue;
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      dlv.algorithm))
@@ -1647,7 +1650,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 		val->event->rdataset->trust = dns_trust_answer;
 		val->event->sigrdataset->trust = dns_trust_answer;
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no supported algorithm (dlv)");
+			      "no supported algorithm/digest (dlv)");
 		return (ISC_R_SUCCESS);
 	} else
 		return (DNS_R_NOVALIDSIG);
@@ -1848,6 +1851,10 @@ validatezonekey(dns_validator_t *val) {
 		dns_rdataset_current(val->dsset, &dsrdata);
 		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);

+		if (!dns_resolver_digest_supported(val->view->resolver,
+						   ds.digest_type))
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      ds.algorithm))
@@ -1940,7 +1947,7 @@ validatezonekey(dns_validator_t *val) {
 		val->event->rdataset->trust = dns_trust_answer;
 		val->event->sigrdataset->trust = dns_trust_answer;
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no supported algorithm (ds)");
+			      "no supported algorithm/digest (ds)");
 		return (ISC_R_SUCCESS);
 	} else
 		return (DNS_R_NOVALIDSIG);
@@ -2193,7 +2200,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 }

 static isc_boolean_t
-check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
+check_ds(dns_validator_t *val, dns_name_t *name,
 		   dns_rdataset_t *rdataset) {
 	dns_rdata_t dsrdata = DNS_RDATA_INIT;
 	dns_rdata_ds_t ds;
@@ -2205,9 +2212,13 @@ check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
 		dns_rdataset_current(rdataset, &dsrdata);
 		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);

-		if (dns_resolver_algorithm_supported(val->view->resolver,
-						     name, ds.algorithm))
+		if (dns_resolver_digest_supported(val->view->resolver,
+						  ds.digest_type) &&
+		    dns_resolver_algorithm_supported(val->view->resolver,
+						     name, ds.algorithm)) {
+			dns_rdata_reset(&dsrdata);
 			return (ISC_TRUE);
+		}
 		dns_rdata_reset(&dsrdata);
 	}
 	return (ISC_FALSE);
@@ -2385,8 +2396,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
 		if (val->frdataset.trust >= dns_trust_secure &&
-		    !check_ds_algorithm(val, dns_fixedname_name(&val->fname),
-					&val->frdataset)) {
+		    !check_ds(val, dns_fixedname_name(&val->fname),
+			       &val->frdataset)) {
 			if (val->mustbesecure) {
 				validator_log(val, ISC_LOG_WARNING,
 					      "must be secure failure");
@@ -2394,7 +2405,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 				goto out;
 			}
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "no supported algorithm (ds)");
+				      "no supported algorithm/digest (ds)");
 			val->event->rdataset->trust = dns_trust_answer;
 			result = ISC_R_SUCCESS;
 			goto out;
@@ -2453,10 +2464,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 			 * continue.
 			 */
 			if (val->frdataset.trust >= dns_trust_secure) {
-				if (!check_ds_algorithm(val, tname,
-							&val->frdataset)) {
+				if (!check_ds(val, tname, &val->frdataset)) {
 					validator_log(val, ISC_LOG_DEBUG(3),
-					      "no supported algorithm (ds)");
+					   "no supported algorithm/digest (ds)");
 					if (val->mustbesecure) {
 						validator_log(val,
 							      ISC_LOG_WARNING,